Re: [phplib] Auth - password changes From: Seoman (seoman <email protected>)
Date: 05/15/00

The only thing I can think of that would be completely secure would be to do
the password-changing over SSL with a secure webserver. Or implement some
cryptographic cipher in JavaScript (and good luck to you if you do :) ). The
problem is that, in allowing the user to set/change the password over the
web, you are trying to exchange a sensitive piece of information over an
insecure channel; no amount of MD5ing (or any other hash function) will
change that.

Sending a randomly generated password over email would probably be the
'safest' bet if you don't want to use public-key cryptography, but users
would likely complain about not being able to set their own passwords
(especially if the passwords look like line noise).

All in all, if you're concerned about that kind of security, you should
probably be investing in a secure webserver anyway. It is far more likely
that someone would try to sniff the session cookie of someone that is logged
in to attempt to gain access than any other method, and this works even if
you use challenge-auth. The only way to combat that kind of attack is to use
SSL.

____________________________________________
Nathaniel Price <seoman <email protected>>
"Microsoft Works? Isn't that an oxymoron?"

----- Original Message -----
From: "Karl Zimmermann" <kzi <email protected>>
To: <phplib <email protected>>
Sent: Monday, May 15, 2000 6:15 PM
Subject: [phplib] Auth - password changes

>
> With PHP4 now having session management functions, I think that the most
> commonly used feature of PHPLib will probably be the auth functionality,
> which helps avoid sending passwords in plain text. Unfortunately, auth
> doesn't provide that feature when the client sends a new password in cases
> of self registering or password change.
>
> Encoding such a password with md5 before sending it is no solution, as it
> gives an unwanted observer the result string stored in the password table.
>
> The problem of self registering could partly be solved when the first
> password is randomly generated at the server side and sent to the client
> via another channel, say for example email. That is not perfect, but it
> adds to the burden of an unwanted observer.
>
> To solve the problem of password change, one needs encrypt/decrypt
> functionality, not provided by the md5 algorithm.
>
> For example, the encryption of the new password on the client side could
> be made by using the response string of crcloginform, generated with the
> old password, as secret key, which is then decrypted with the same key on
> the server side. I am aware that PHP, through the mcrypt library, offers
> encrypt/decrypt functionality, but I don't know if JavaScript offers
> compatible encryption algorithms.
>
> Any comments or ideas?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> For additional commands, e-mail: phplib-help <email protected>
